Generating SPDX 3.0 SBOMs for Container Images
An SBOM (Software Bill of Materials) is a machine-readable inventory of the components, libraries, and dependencies that make up a piece of software. SPDX is a standardized format for that inventory (its 2.2.1 revision is published as ISO/IEC 5962:2021); SPDX 3.0 is the current major revision, which models the SBOM as a graph of elements carrying license, security, and provenance data.
CleanStart generates SPDX 3.0 SBOMs automatically during image builds, enabling supply chain transparency, license compliance verification, and vulnerability correlation.
What SPDX SBOM Contains
Complete Component Inventory
Each package, library, and dependency in the image is documented with complete metadata. Every element in the SBOM has a unique spdxId (an IRI in SPDX 3.0; the SPDX 2.x JSON field was SPDXID) so that other parts of the document, and other documents, can refer to it. The version field records the exact package version, which is what makes precise matching against CVE databases possible; a package URL (purl) external identifier, where one is recorded, makes that match unambiguous across ecosystems. Checksums are cryptographic hashes of the component (SPDX 3.0 carries them in verifiedUsing as Hash objects with an algorithm and a hashValue), so the artifact can be checked against what was expected. License information includes both the declared license (what the upstream project states) and the concluded license (what scanning actually found); both are SPDX license expressions, which combine individual licenses with AND, OR and WITH. Copyright statements record the copyright holders and years, which matters for attribution and compliance tracking. Download locations point to the authoritative source from which the component can be obtained, which is useful for supply chain verification. Relationships define how components relate to each other: dependsOn records a dependency and contains records composition (SPDX 3.0 uses these lowerCamelCase names; SPDX 2.x wrote them DEPENDS_ON and CONTAINS).
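The following is an added example, not part of the original page and not CleanStart code. It walks a small SPDX 3.0.1 JSON-LD document (constructed here; the example.com IRIs and the all-zero hash are placeholders) and pulls out the fields described above. Two SPDX 3.0 details worth seeing in code: license information is not a property on the package but a hasDeclaredLicense / hasConcludedLicense relationship pointing at a license expression element, and the supplier is a reference to an Organization element rather than a string.

```python
import json

# Constructed SPDX 3.0.1 JSON-LD fragment, assumed for this example (not a
# CleanStart artifact). example.com IRIs and the hash value are placeholders.
SAMPLE_SPDX3 = r'''{
  "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
  "@graph": [
    {"type": "CreationInfo", "@id": "_:ci", "specVersion": "3.0.1",
     "created": "2024-06-01T00:00:00Z",
     "createdBy": ["https://example.com/agent/builder"]},
    {"type": "Organization", "spdxId": "https://example.com/agent/builder",
     "creationInfo": "_:ci", "name": "Example Build Team"},
    {"type": "Organization", "spdxId": "https://example.com/agent/zlib",
     "creationInfo": "_:ci", "name": "zlib project"},
    {"type": "software_Package", "spdxId": "https://example.com/pkg/zlib",
     "creationInfo": "_:ci", "name": "zlib", "software_packageVersion": "1.3.1",
     "software_downloadLocation": "https://zlib.net/zlib-1.3.1.tar.gz",
     "software_copyrightText": "(C) 1995-2024 Jean-loup Gailly and Mark Adler",
     "suppliedBy": "https://example.com/agent/zlib",
     "verifiedUsing": [{"type": "Hash", "algorithm": "sha256",
       "hashValue": "0000000000000000000000000000000000000000000000000000000000000000"}]},
    {"type": "software_Package", "spdxId": "https://example.com/pkg/app",
     "creationInfo": "_:ci", "name": "app", "software_packageVersion": "2.0.0"},
    {"type": "simplelicensing_LicenseExpression", "spdxId": "https://example.com/lic/1",
     "creationInfo": "_:ci", "simplelicensing_licenseExpression": "Zlib"},
    {"type": "Relationship", "spdxId": "https://example.com/rel/1", "creationInfo": "_:ci",
     "relationshipType": "hasDeclaredLicense",
     "from": "https://example.com/pkg/zlib", "to": ["https://example.com/lic/1"]},
    {"type": "Relationship", "spdxId": "https://example.com/rel/2", "creationInfo": "_:ci",
     "relationshipType": "hasConcludedLicense",
     "from": "https://example.com/pkg/zlib", "to": ["https://example.com/lic/1"]},
    {"type": "Relationship", "spdxId": "https://example.com/rel/3", "creationInfo": "_:ci",
     "relationshipType": "dependsOn",
     "from": "https://example.com/pkg/app", "to": ["https://example.com/pkg/zlib"]}
  ]
}'''


def load_graph(text):
    """Index every element by its spdxId (or the blank-node @id of CreationInfo)."""
    return {e.get("spdxId") or e.get("@id"): e for e in json.loads(text)["@graph"]}


def related(graph, from_id, rel_type):
    """spdxIds on the 'to' side of every Relationship of rel_type whose 'from' is from_id."""
    return [t for e in graph.values()
            if e["type"] == "Relationship" and e["relationshipType"] == rel_type
            and e["from"] == from_id
            for t in e["to"]]


def license_of(graph, pkg_id, kind):
    """Declared or concluded license expression for a package, or None if not asserted."""
    exprs = [graph[t]["simplelicensing_licenseExpression"]
             for t in related(graph, pkg_id, kind)]
    return " AND ".join(exprs) if exprs else None


def inventory(text):
    """One flat row per software_Package with the fields discussed above."""
    g = load_graph(text)
    rows = []
    for pid, p in g.items():
        if p["type"] != "software_Package":
            continue
        hashes = {h["algorithm"]: h["hashValue"] for h in p.get("verifiedUsing", [])}
        rows.append({
            "spdxId": pid,
            "name": p["name"],
            "version": p.get("software_packageVersion"),
            "supplier": g.get(p.get("suppliedBy"), {}).get("name"),
            "download": p.get("software_downloadLocation"),
            "copyright": p.get("software_copyrightText"),
            "sha256": hashes.get("sha256"),
            "declared": license_of(g, pid, "hasDeclaredLicense"),
            "concluded": license_of(g, pid, "hasConcludedLicense"),
            "dependsOn": related(g, pid, "dependsOn"),
        })
    return rows


if __name__ == "__main__":
    for row in inventory(SAMPLE_SPDX3):
        print(row["name"], row["version"], row["declared"], row["dependsOn"])
```

A package with no license relationship comes back as None rather than a guessed value; treat that as "needs review" downstream instead of letting it pass as permissive.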
CleanStart SBOM Generation
Automatic Generation During Builds
CleanStart scans every layer and extracts package manager manifests including package.json, requirements.txt, go.sum, and similar files. It identifies binary dependencies through package manager databases, tracks build-time dependencies such as compilers and build tools, and captures system packages and C libraries.
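To make concrete what "extracting manifests and emitting SPDX 3.0" produces, here is an added example (not CleanStart's implementation, whose internals the page does not describe). It parses a constructed requirements.txt and package.json, creates one software_Package element per pinned dependency with a package URL as external identifier, and links them to the image's root package with a single dependsOn relationship. The example.com namespace and the "Example Org" agent are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed manifests standing in for files found in an image layer.
REQUIREMENTS_TXT = """\
requests==2.32.3
urllib3==2.2.2
flask>=3.0          # unpinned: no exact version to record, so it is skipped
# comments and blank lines are ignored
"""
PACKAGE_JSON = json.dumps({"name": "frontend", "version": "1.4.0",
                           "dependencies": {"express": "4.19.2"}})

NS = "https://example.com/sbom/demo-image"   # assumed document namespace
CONTEXT = "https://spdx.org/rdf/3.0.1/spdx-context.jsonld"


def parse_requirements(text):
    """(ecosystem, name, version) for every pinned 'name==version' line."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([^\s;]+)", line)
        if m:
            found.append(("pypi", m.group(1).lower(), m.group(2)))
    return found


def parse_package_json(text):
    """Direct npm dependencies; range prefixes are stripped, which is only exact for pins."""
    deps = json.loads(text).get("dependencies", {})
    return [("npm", name, spec.lstrip("^~")) for name, spec in deps.items()]


def package_element(ecosystem, name, version):
    """A software_Package element carrying its version and a purl identifier."""
    return {
        "type": "software_Package",
        "spdxId": f"{NS}/package/{ecosystem}/{name}@{version}",
        "creationInfo": "_:ci",
        "name": name,
        "software_packageVersion": version,
        "externalIdentifier": [{"type": "ExternalIdentifier",
                                "externalIdentifierType": "packageUrl",
                                "identifier": f"pkg:{ecosystem}/{name}@{version}"}],
    }


def generate(root_name, components, created=None):
    """Assemble a minimal SPDX 3.0.1 JSON-LD document: creation info, the author
    agent, the SpdxDocument element, the image as root package, one package per
    component, and a dependsOn relationship from the root to all of them."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root_id = f"{NS}/package/{root_name}"
    agent_id = f"{NS}/agent/example-org"
    graph = [
        {"type": "CreationInfo", "@id": "_:ci", "specVersion": "3.0.1",
         "created": created, "createdBy": [agent_id]},
        {"type": "Organization", "spdxId": agent_id, "creationInfo": "_:ci",
         "name": "Example Org"},
        {"type": "SpdxDocument", "spdxId": f"{NS}/document", "creationInfo": "_:ci",
         "profileConformance": ["core", "software"], "rootElement": [root_id]},
        {"type": "software_Package", "spdxId": root_id, "creationInfo": "_:ci",
         "name": root_name},
    ]
    dep_ids = []
    for ecosystem, name, version in components:
        element = package_element(ecosystem, name, version)
        graph.append(element)
        dep_ids.append(element["spdxId"])
    graph.append({"type": "Relationship", "spdxId": f"{NS}/relationship/root-dependsOn",
                  "creationInfo": "_:ci", "relationshipType": "dependsOn",
                  "from": root_id, "to": dep_ids})
    return {"@context": CONTEXT, "@graph": graph}


if __name__ == "__main__":
    components = parse_requirements(REQUIREMENTS_TXT) + parse_package_json(PACKAGE_JSON)
    print(json.dumps(generate("demo-image", components), indent=2))
```

Note that an unpinned requirement cannot be turned into an exact version from the manifest alone; a real generator resolves it against the package manager's installed database in the layer, which is why the text above lists those databases as a separate source.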
Multi-Layer SBOM Creation
For images with multiple build stages, CleanStart generates comprehensive SBOMs that account for the multi-stage architecture. When an image is built using multiple stages such as a builder stage containing compilation tools and a runtime stage containing only the compiled binary, CleanStart creates separate SBOM entries for each stage to provide complete traceability. This allows you to understand not just what's in the final production image, but also what was present in intermediate build stages.
SBOM Verification and Validation
Verify SBOM Integrity
Verify the SBOM signature with cosign (for an SBOM attached to the image as an attestation, cosign verify-attestation with the appropriate --key or keyless identity flags), validate that the document is well-formed SPDX with spdx-tools, and check completeness by counting the packages in the SBOM and comparing the count with what the image's package databases report. A valid signature proves who produced the SBOM; it does not prove the SBOM is complete or internally consistent, so both kinds of check are needed.
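Signature verification needs cosign and a registry, but the structural checks can be shown offline. The following is an added example (not part of the page, not spdx-tools' validator) that applies the consistency checks a reviewer would want before trusting a package count: the SPDX 3.0.1 context is present, every element has a unique id, there is exactly one SpdxDocument whose rootElement entries exist, every element resolves to creation info, relationships only reference elements that exist, and the package count meets an expected minimum. The constructed sample has two deliberate defects.

```python
import json

SPDX3_CONTEXT = "https://spdx.org/rdf/3.0.1/spdx-context.jsonld"

# Constructed SBOM with two deliberate defects: a Relationship pointing at an
# element that does not exist, and a package that lacks creationInfo.
SAMPLE = r'''{
  "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
  "@graph": [
    {"type": "CreationInfo", "@id": "_:ci", "specVersion": "3.0.1",
     "created": "2024-06-01T00:00:00Z", "createdBy": ["https://example.com/agent/builder"]},
    {"type": "Organization", "spdxId": "https://example.com/agent/builder",
     "creationInfo": "_:ci", "name": "Example Build Team"},
    {"type": "SpdxDocument", "spdxId": "https://example.com/doc", "creationInfo": "_:ci",
     "profileConformance": ["core", "software"], "rootElement": ["https://example.com/pkg/app"]},
    {"type": "software_Package", "spdxId": "https://example.com/pkg/app",
     "creationInfo": "_:ci", "name": "app", "software_packageVersion": "2.0.0"},
    {"type": "software_Package", "spdxId": "https://example.com/pkg/zlib",
     "name": "zlib", "software_packageVersion": "1.3.1"},
    {"type": "Relationship", "spdxId": "https://example.com/rel/1", "creationInfo": "_:ci",
     "relationshipType": "dependsOn", "from": "https://example.com/pkg/app",
     "to": ["https://example.com/pkg/zlib", "https://example.com/pkg/missing"]}
  ]
}'''


def validate(text, expected_packages=None):
    """Return (package_count, findings). An empty findings list means all checks passed."""
    doc = json.loads(text)
    findings = []
    if doc.get("@context") != SPDX3_CONTEXT:
        findings.append("missing or unexpected @context (not SPDX 3.0.1 JSON-LD)")
    graph = doc.get("@graph", [])

    # Every element needs an id, and ids must be unique within the document.
    ids = set()
    for e in graph:
        eid = e.get("spdxId") or e.get("@id")
        if eid is None:
            findings.append(f"{e.get('type')} element without spdxId")
            continue
        if eid in ids:
            findings.append(f"duplicate id {eid}")
        ids.add(eid)

    docs = [e for e in graph if e.get("type") == "SpdxDocument"]
    if len(docs) != 1:
        findings.append(f"expected exactly one SpdxDocument, found {len(docs)}")
    for d in docs:
        for root in d.get("rootElement", []):
            if root not in ids:
                findings.append(f"rootElement {root} does not exist")

    # Referential integrity: creationInfo and relationship endpoints must resolve.
    for e in graph:
        eid = e.get("spdxId")
        if e.get("type") != "CreationInfo" and e.get("creationInfo") not in ids:
            findings.append(f"{eid} has no resolvable creationInfo")
        if e.get("type") == "Relationship":
            for ref in [e.get("from"), *e.get("to", [])]:
                if ref not in ids:
                    findings.append(f"relationship {eid} references unknown element {ref}")

    count = sum(1 for e in graph if e.get("type") == "software_Package")
    if expected_packages is not None and count < expected_packages:
        findings.append(f"only {count} packages, expected at least {expected_packages}")
    return count, findings


if __name__ == "__main__":
    count, findings = validate(SAMPLE, expected_packages=3)
    print(f"{count} packages")
    for f in findings:
        print("FINDING:", f)
```

The expected package count is best taken from an independent source (the package manager databases inside the image, or a second SBOM tool as in the next section); a count check against nothing is just a number.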
Cross-Check with Scanner
Check SBOM accuracy against an independent scanner: generate the SBOM via CleanStart, generate one for the same image via Syft, compare package counts (both should report roughly the same number, for example about 47 packages for the image used here), and list the discrepancies. Diff sorted name@version lists rather than the raw JSON, since the two tools differ in element ordering, identifiers and metadata even when the inventories agree. Small differences are normal (tools name distro packages differently and may or may not record the base image itself); a package present in one output and absent from the other is what needs explaining.
License Compliance with SBOM
Identify Problematic Licenses
Extract license information to identify licenses that conflict with your policy. Filter for restrictive licenses using jq queries over the SBOM. Common license categories: permissive licenses such as MIT, Apache-2.0 and BSD allow free use and redistribution with attribution; weak copyleft licenses such as LGPL-2.1 allow use from proprietary software provided that changes to the library itself are shared and the library can be relinked or replaced; strong copyleft licenses such as GPL-2.0 and GPL-3.0 require that derivative works you distribute be licensed under the same terms, which for a compiled-in dependency means releasing your own source; network copyleft licenses such as AGPL-3.0 extend that obligation to software offered over a network, so SaaS use triggers it. Treat packages whose license could not be determined as a separate category that needs manual review rather than letting them pass silently.
Generate License Report
Generate a license report that groups packages by category, for example permissive licenses across 42 packages, weak copyleft licenses across 3 packages, strong copyleft licenses across 2 packages flagged as compliance risk, and packages with no license found.
License Blocking Policies
Enforce license policies in CI/CD by checking the SBOM for blocked licenses and failing the build when a restrictive license is found. Decide explicitly whether packages with no detected license fail the build or only produce a warning; failing closed is safer, but it needs a way to record manually verified exceptions so that builds do not stay red.
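The three steps above (categorize, report, block) fit in one small policy check. What follows is an added example, not CleanStart's policy engine and not a legal opinion: the category table is an assumed starting point, and the input is a constructed list of (package, license expression) pairs such as the one produced by walking the SBOM. The one non-obvious part is compound expressions: with AND every operand applies, so the strictest category wins; with OR the licensee chooses, so the most permissive wins; "X WITH exception" is classified as X, since an exception can only relax X.

```python
import re
import sys

# Category table assumed for this example (extend to match your own policy).
CATEGORIES = {
    "permissive": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Zlib", "0BSD"},
    "weak-copyleft": {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                      "LGPL-3.0-or-later", "MPL-2.0", "EPL-2.0"},
    "strong-copyleft": {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"},
    "network-copyleft": {"AGPL-3.0-only", "AGPL-3.0-or-later"},
}
# Family fallback for ids not listed above; order matters (AGPL/LGPL before GPL).
FAMILIES = [("AGPL-", "network-copyleft"), ("LGPL-", "weak-copyleft"), ("GPL-", "strong-copyleft")]
RANK = ["permissive", "weak-copyleft", "strong-copyleft", "network-copyleft", "unknown"]

# Constructed inventory: (package name, declared license expression or None).
SAMPLE_PACKAGES = [
    ("zlib", "Zlib"), ("openssl", "Apache-2.0"), ("glibc", "LGPL-2.1-or-later"),
    ("busybox", "GPL-2.0-only"), ("ghostscript", "AGPL-3.0-only"),
    ("dual", "GPL-2.0-only OR MIT"),
    ("jdk-piece", "GPL-2.0-only WITH Classpath-exception-2.0"),
    ("mystery", None), ("combo", "(MIT AND BSD-3-Clause) AND LGPL-3.0-only"),
]


def category(license_id):
    for cat, ids in CATEGORIES.items():
        if license_id in ids:
            return cat
    for prefix, cat in FAMILIES:
        if license_id.startswith(prefix):
            return cat
    return "unknown"


def classify(expr):
    """Conservative category for an SPDX license expression (see lead-in for the rules)."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expr)
    pos = 0

    def atom():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError(f"malformed expression: {expr!r}")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            cat = disjunction()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError(f"unbalanced parentheses: {expr!r}")
            pos += 1
            return cat
        if pos < len(tokens) and tokens[pos].upper() == "WITH":
            pos += 2                       # skip "WITH <exception-id>"
        return category(tok)

    def conjunction():
        nonlocal pos
        cats = [atom()]
        while pos < len(tokens) and tokens[pos].upper() == "AND":
            pos += 1
            cats.append(atom())
        return max(cats, key=RANK.index)   # all terms apply: strictest wins

    def disjunction():
        nonlocal pos
        cats = [conjunction()]
        while pos < len(tokens) and tokens[pos].upper() == "OR":
            pos += 1
            cats.append(conjunction())
        return min(cats, key=RANK.index)   # licensee may choose: friendliest wins

    cat = disjunction()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return cat


def license_report(packages):
    """{category: [package names]}; unparseable or missing expressions count as unknown."""
    report = {c: [] for c in RANK}
    for name, expr in packages:
        try:
            cat = classify(expr) if expr else "unknown"
        except ValueError:
            cat = "unknown"
        report[cat].append(name)
    return report


def policy_check(packages, blocked=("strong-copyleft", "network-copyleft"), fail_on_unknown=True):
    """List of (package, category) violations; empty means the build may proceed."""
    report = license_report(packages)
    violations = [(n, c) for c in blocked for n in report[c]]
    if fail_on_unknown:
        violations += [(n, "unknown") for n in report["unknown"]]
    return violations


if __name__ == "__main__":
    for cat, names in license_report(SAMPLE_PACKAGES).items():
        print(f"{cat:17s} {len(names):3d}  {', '.join(names)}")
    violations = policy_check(SAMPLE_PACKAGES)
    for name, cat in violations:
        print(f"BLOCKED: {name} ({cat})")
    sys.exit(1 if violations else 0)      # non-zero exit fails the CI job
```

The exit code is what the CI step keys on; the report output is for the human reading the failed job.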
Integration with Vulnerability Scanning
SBOM + CVE Correlation
Scanners that consume the SBOM identify vulnerabilities more accurately than scanners that walk the filesystem, because they match on the exact package name and version (or package URL) recorded in the SBOM instead of on file heuristics. Results include full package context: which CVE affects which package, which applications use the package, how the package is used, and what impact the CVE has.
Transitive Dependency Discovery
SBOM relationships show the full dependency chain, so a vulnerability in a transitive dependency becomes visible even when that package never appears in your own manifest such as package.json.
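The two sections above describe one procedure: match an advisory against the SBOM, then follow the relationship graph back to the things that ship it. Here is an added example of that (not part of the page, not Grype or any other scanner's logic). The SBOM is constructed: the image contains app, app's own manifest lists only express, and the affected package qs sits three hops down. The advisory list is constructed too and keyed by package URL, with placeholder identifiers rather than real CVE numbers; matching on purl is the piece that makes this exact.

```python
from collections import defaultdict


def _pkg(name, version, ecosystem="npm"):
    """Minimal SPDX 3.0.1 package element with a purl (constructed sample data)."""
    return {"type": "software_Package", "spdxId": f"https://example.com/pkg/{name}",
            "creationInfo": "_:ci", "name": name, "software_packageVersion": version,
            "externalIdentifier": [{"type": "ExternalIdentifier",
                                    "externalIdentifierType": "packageUrl",
                                    "identifier": f"pkg:{ecosystem}/{name}@{version}"}]}


def _rel(n, rel_type, src, targets):
    return {"type": "Relationship", "spdxId": f"https://example.com/rel/{n}",
            "creationInfo": "_:ci", "relationshipType": rel_type,
            "from": f"https://example.com/pkg/{src}",
            "to": [f"https://example.com/pkg/{t}" for t in targets]}


# Constructed SBOM: my-image contains app; app -> express -> body-parser -> qs.
SAMPLE_SBOM = {
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {"type": "CreationInfo", "@id": "_:ci", "specVersion": "3.0.1",
         "created": "2024-06-01T00:00:00Z", "createdBy": ["https://example.com/agent/builder"]},
        _pkg("my-image", "1.0.0", "oci"), _pkg("app", "2.0.0"), _pkg("express", "4.19.2"),
        _pkg("body-parser", "1.20.2"), _pkg("qs", "6.5.0"), _pkg("leftover", "0.1.0"),
        _rel(1, "contains", "my-image", ["app"]),
        _rel(2, "dependsOn", "app", ["express"]),
        _rel(3, "dependsOn", "express", ["body-parser"]),
        _rel(4, "dependsOn", "body-parser", ["qs"]),
    ],
}

# Constructed advisory feed: purl -> placeholder vulnerability id (not real CVEs).
SAMPLE_ADVISORIES = {
    "pkg:npm/qs@6.5.0": "EXAMPLE-VULN-0001",
    "pkg:npm/lodash@4.17.20": "EXAMPLE-VULN-0002",   # not in the image: must not match
}


def _index(sbom):
    return {e.get("spdxId") or e.get("@id"): e for e in sbom["@graph"]}


def _purls(element):
    return [x["identifier"] for x in element.get("externalIdentifier", [])
            if x.get("externalIdentifierType") == "packageUrl"]


def direct_dependencies(sbom, pkg_name):
    """Names a package lists directly via dependsOn (what its own manifest shows)."""
    g = _index(sbom)
    src = f"https://example.com/pkg/{pkg_name}"
    return sorted(g[t]["name"] for e in g.values()
                  if e["type"] == "Relationship" and e["relationshipType"] == "dependsOn"
                  and e["from"] == src for t in e["to"])


def exposures(sbom, advisories):
    """{vuln id: [[root name, ..., affected name], ...]} for every matched package.
    Paths are found by walking dependsOn/contains edges upward to the roots."""
    g = _index(sbom)
    parents = defaultdict(list)
    for e in g.values():
        if e["type"] == "Relationship" and e["relationshipType"] in ("dependsOn", "contains"):
            for child in e["to"]:
                parents[child].append(e["from"])

    def paths_to_roots(node, seen=()):
        if node in seen:                    # cycle guard for malformed graphs
            return []
        ups = parents.get(node, [])
        if not ups:
            return [[node]]
        return [p + [node] for parent in ups for p in paths_to_roots(parent, seen + (node,))]

    result = defaultdict(list)
    for pid, e in g.items():
        if e["type"] != "software_Package":
            continue
        for purl in _purls(e):
            vuln_id = advisories.get(purl)
            if vuln_id:
                for path in paths_to_roots(pid):
                    result[vuln_id].append([g[n]["name"] for n in path])
    return dict(result)


if __name__ == "__main__":
    for vuln_id, paths in exposures(SAMPLE_SBOM, SAMPLE_ADVISORIES).items():
        for path in paths:
            print(vuln_id, " -> ".join(path))
```

The path output is the "which applications use the package" context the text mentions: qs is reported under my-image via app, even though app's direct dependency list does not contain it.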
Regulatory Compliance with SBOM
NTIA Minimum Elements
The NTIA minimum elements for an SBOM (2021) are: supplier name, component name, version, other unique identifiers, dependency relationships, author of the SBOM data, and a timestamp. The CleanStart SBOM includes all of these automatically: supplier, name and version on each package element, the spdxId as unique identifier, dependsOn and contains relationships, and the SBOM author and timestamp in the document's creation information. Download location, hashes, licenses and external references go beyond the minimum and are included as well.
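An added example (not part of the page, not an NTIA or CleanStart tool) that audits an SPDX 3.0.1 document against the seven minimum elements, mapping each to where it lives in SPDX 3.0: supplier to the suppliedBy agent, author and timestamp to CreationInfo, dependency relationship to participation in a dependsOn/contains relationship or being a document root. One assumption is stricter than the text: "other unique identifier" is taken to mean a package URL external identifier, since the spdxId is something the SBOM producer minted rather than an identifier a CVE database would know. The SBOM is constructed with one complete package and one deficient one.

```python
# Constructed SPDX 3.0.1 SBOM: "app" is fully described; "orphan" has no supplier,
# no version, no package URL and takes part in no relationship.
SAMPLE = {
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {"type": "CreationInfo", "@id": "_:ci", "specVersion": "3.0.1",
         "created": "2024-06-01T00:00:00Z", "createdBy": ["https://example.com/agent/builder"]},
        {"type": "Organization", "spdxId": "https://example.com/agent/builder",
         "creationInfo": "_:ci", "name": "Example Build Team"},
        {"type": "Organization", "spdxId": "https://example.com/agent/acme",
         "creationInfo": "_:ci", "name": "Acme Software"},
        {"type": "SpdxDocument", "spdxId": "https://example.com/doc", "creationInfo": "_:ci",
         "profileConformance": ["core", "software"],
         "rootElement": ["https://example.com/pkg/app"]},
        {"type": "software_Package", "spdxId": "https://example.com/pkg/app",
         "creationInfo": "_:ci", "name": "app", "software_packageVersion": "2.0.0",
         "suppliedBy": "https://example.com/agent/acme",
         "externalIdentifier": [{"type": "ExternalIdentifier",
                                 "externalIdentifierType": "packageUrl",
                                 "identifier": "pkg:generic/app@2.0.0"}]},
        {"type": "software_Package", "spdxId": "https://example.com/pkg/orphan",
         "creationInfo": "_:ci", "name": "orphan"},
    ],
}


def ntia_audit(sbom):
    """Return (document_findings, {package name: [missing minimum elements]})."""
    g = {e.get("spdxId") or e.get("@id"): e for e in sbom["@graph"]}

    # Document-level elements: author of the SBOM data and timestamp.
    doc_findings = []
    infos = [e for e in g.values() if e["type"] == "CreationInfo"]
    if not any(i.get("createdBy") for i in infos):
        doc_findings.append("author of SBOM data (CreationInfo.createdBy)")
    if not any(i.get("created") for i in infos):
        doc_findings.append("timestamp (CreationInfo.created)")

    # Which packages take part in a dependency relationship, or are document roots.
    linked = set()
    for e in g.values():
        if e["type"] == "Relationship" and e["relationshipType"] in ("dependsOn", "contains"):
            linked.add(e["from"])
            linked.update(e["to"])
    roots = {r for e in g.values() if e["type"] == "SpdxDocument"
             for r in e.get("rootElement", [])}

    per_package = {}
    for pid, p in g.items():
        if p["type"] != "software_Package":
            continue
        missing = []
        if not g.get(p.get("suppliedBy"), {}).get("name"):
            missing.append("supplier name")
        if not p.get("name"):
            missing.append("component name")
        if not p.get("software_packageVersion"):
            missing.append("version")
        if not any(x.get("externalIdentifierType") == "packageUrl"
                   for x in p.get("externalIdentifier", [])):
            missing.append("other unique identifier (packageUrl)")
        if pid not in linked and pid not in roots:
            missing.append("dependency relationship")
        per_package[p.get("name", pid)] = missing
    return doc_findings, per_package


if __name__ == "__main__":
    doc_findings, per_package = ntia_audit(SAMPLE)
    print("document:", doc_findings or "ok")
    for name, missing in per_package.items():
        print(f"{name}: {missing or 'ok'}")
```

A package that is in the image but in no relationship at all is worth a second look regardless of the NTIA list: it usually means the generator found a file it could not attribute to any parent.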
FedRAMP SI-2 Evidence
SBOMs provide evidence for the FedRAMP SI-2 (Flaw Remediation) control, which requires identifying, reporting and correcting software flaws. The SBOM includes exact versions for CVE matching, license information for supply chain risk, integrity hashes for version verification, and creation timestamps for change tracking.
EU CRA Supply Chain Documentation
The CleanStart SBOM supports the EU Cyber Resilience Act's requirement for documented software composition: component source and download location, license and copyright information, known vulnerabilities at generation time (a snapshot that must be refreshed by later scans or VEX statements, since the vulnerability picture changes after the SBOM is produced), and build reproducibility information.
Advanced SBOM Features
SBOM Delta Analysis
Track changes between image versions by generating SBOMs for both versions and comparing their package inventories: new packages, updated packages (same name, different version), and removed packages. A delta that shows an unexpected new package, or a version that moved backwards, is a signal to investigate the build before the image is promoted.
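The following added example (not part of the page, not CleanStart tooling) implements the comparison and serves both this section and the earlier cross-check against Syft, which is the same operation with a different pair of inputs: two SBOMs of the same image from two tools, where "added" and "removed" are the discrepancies to explain. Both SBOMs are constructed. Inventories are keyed by lowercased package name and keep a set of versions, so an image that legitimately ships two copies of a library does not collapse to one entry.

```python
def _pkg(name, version):
    """Minimal SPDX 3.0.1 package element (constructed sample data)."""
    return {"type": "software_Package", "spdxId": f"https://example.com/pkg/{name}@{version}",
            "creationInfo": "_:ci", "name": name, "software_packageVersion": version}


def _sbom(*packages):
    return {"@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
            "@graph": [{"type": "CreationInfo", "@id": "_:ci", "specVersion": "3.0.1",
                        "created": "2024-06-01T00:00:00Z",
                        "createdBy": ["https://example.com/agent/builder"]}, *packages]}


# Constructed SBOMs for two builds of the same image.
IMAGE_V1 = _sbom(_pkg("zlib", "1.3"), _pkg("busybox", "1.36.1"), _pkg("openssl", "3.3.0"))
IMAGE_V2 = _sbom(_pkg("zlib", "1.3.1"), _pkg("curl", "8.8.0"), _pkg("openssl", "3.3.0"),
                 _pkg("libfoo", "1.0"), _pkg("libfoo", "2.0"))   # two copies, both kept


def inventory(sbom):
    """name -> set of versions for every software_Package in the document."""
    inv = {}
    for e in sbom["@graph"]:
        if e.get("type") == "software_Package":
            inv.setdefault(e["name"].lower(), set()).add(e.get("software_packageVersion"))
    return inv


def compare(old, new):
    """Packages added, removed, or present in both with a different version set."""
    a, b = inventory(old), inventory(new)
    return {
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
        "changed": sorted((n, sorted(a[n]), sorted(b[n]))
                          for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def render(delta):
    """Plain-text summary in the +/-/~ style of a diff, for CI logs."""
    lines = [f"+ {n}" for n in delta["added"]]
    lines += [f"- {n}" for n in delta["removed"]]
    lines += [f"~ {n}: {','.join(o)} -> {','.join(v)}" for n, o, v in delta["changed"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(compare(IMAGE_V1, IMAGE_V2)))
```

When comparing outputs of two different tools rather than two builds, expect naming differences (for example a distro package recorded under its source name by one tool and its binary name by another); normalizing both sides to package URLs before comparison removes most of that noise.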
Machine Signature in SBOM
The SBOM carries cryptographic proof of content in the form of SHA-256 and SHA-512 hashes of every package. To verify that image content has not changed, retrieve the SBOM from the image metadata, recompute the hash of each artifact, and compare it with the value recorded in the SBOM. Hashes give integrity, not authenticity: whoever can replace a package can also rewrite an unsigned SBOM to match, so the hash check is only meaningful after the SBOM signature has been verified.
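An added example (not part of the page, not CleanStart's verifier) of the recompute-and-compare step against the verifiedUsing entries of an SPDX 3.0.1 package element. The sample SBOM is constructed; its sha256 value is the digest of the bytes "hello world", which stands in for the artifact retrieved from the image, and a second entry uses an algorithm this script deliberately does not implement to show how an unverifiable hash is reported rather than silently counted as a pass.

```python
import hashlib

# Algorithms this verifier can recompute locally (SPDX 3.0 HashAlgorithm names).
ALGORITHMS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512, "sha3_256": hashlib.sha3_256}

# Constructed SBOM: the sha256 value is the digest of b"hello world".
SAMPLE_SBOM = {
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {"type": "CreationInfo", "@id": "_:ci", "specVersion": "3.0.1",
         "created": "2024-06-01T00:00:00Z", "createdBy": ["https://example.com/agent/builder"]},
        {"type": "software_Package", "spdxId": "https://example.com/pkg/config-bundle",
         "creationInfo": "_:ci", "name": "config-bundle", "software_packageVersion": "1.0",
         "verifiedUsing": [
             {"type": "Hash", "algorithm": "sha256",
              "hashValue": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"},
             {"type": "Hash", "algorithm": "blake3",      # not in ALGORITHMS above
              "hashValue": "0000000000000000000000000000000000000000000000000000000000000000"},
         ]},
        {"type": "software_Package", "spdxId": "https://example.com/pkg/unhashed",
         "creationInfo": "_:ci", "name": "unhashed", "software_packageVersion": "0.1"},
    ],
}


def verify_hashes(content, verified_using):
    """algorithm -> True (match), False (mismatch) or None (cannot recompute locally)."""
    results = {}
    for h in verified_using:
        fn = ALGORITHMS.get(h["algorithm"])
        if fn is None:
            results[h["algorithm"]] = None
        else:
            results[h["algorithm"]] = fn(content).hexdigest() == h["hashValue"].lower()
    return results


def verify_package(sbom, pkg_name, content):
    """(passed, per-algorithm results). Passes only if at least one hash could be
    recomputed and every recomputed hash matched; a package with no usable hash fails."""
    pkg = next(e for e in sbom["@graph"]
               if e.get("type") == "software_Package" and e["name"] == pkg_name)
    results = verify_hashes(content, pkg.get("verifiedUsing", []))
    checked = [ok for ok in results.values() if ok is not None]
    return bool(checked) and all(checked), results


if __name__ == "__main__":
    for name, content in [("config-bundle", b"hello world"),
                          ("config-bundle", b"hello world!"),
                          ("unhashed", b"anything")]:
        passed, results = verify_package(SAMPLE_SBOM, name, content)
        print(name, "PASS" if passed else "FAIL", results)
```

Failing a package that carries no recomputable hash is a deliberate choice: an SBOM entry without a verifiable digest gives no integrity guarantee, and treating it as a pass would let a stripped-down SBOM sail through.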
Best Practices
Include SBOM in Every Build Artifact
Store SBOM with container image, application binary, and Kubernetes manifests.
Regularly Scan SBOM Against CVE Databases
Daily scan of existing SBOMs using tools like Grype.
Publish SBOM for Downstream Consumers
Allow customers to verify your supply chain by publishing the SBOM: attach it to the image as a cosign attestation (cosign attest with the SBOM as predicate) so consumers can pull it from the registry alongside the image and verify the signature before they rely on its contents.
Troubleshooting
Missing Packages in SBOM
If SBOM shows fewer packages than expected, enable verbose analysis and check for unsupported package managers. CleanStart supports pip, npm, cargo, go.mod, maven, gradle, and jar archives.
License Detection Failures
If a package's declared license is empty (an empty licenseDeclared field in SPDX 2.x JSON, or no hasDeclaredLicense relationship in SPDX 3.0), manually inspect the package's NOTICE and LICENSE files and update the SBOM with the licenses found, recording them as the concluded license so the declared value still reflects what upstream stated.
See Also
Vulnerability Context: vex-documents.md — Use SBOM with VEX for actionable risk assessment.
Build Provenance: slsa-level-4.md — SBOM is a component of SLSA evidence.
Compliance Verification: fedramp-high.md — SBOM satisfies regulatory requirements.
